[Freeipa-devel] [freeipa PR#227][comment] cert-request: match names against principal aliases

martbab freeipa-github-notification at redhat.com
Mon Nov 14 12:39:57 UTC 2016


  URL: https://github.com/freeipa/freeipa/pull/227
Title: #227: cert-request: match names against principal aliases

martbab commented:
"""
Also, the current execution flow of the command is very confusing (retrieving objects based on intended principal types etc.). As a part of the ticket I was planning to do a sneaky refactoring of the flow which IMHO should look like this:

1.) you search entries by krbprincipalname extracted from 'principal' option (or from bind principal)

2.) If not found, you error out that such entry could not be found

3.) due to syntax overrides in ipaldap, all returned principals will be converted to Principal objects so *after you retrieve the entry and ensure that it exists* you can test whether it is service, user, etc.

4.) for values in SAN, you check whether the value is already contained in the entry's principals (as you do in this PR). If the principal is not there, you can try to retrieve the entry from ldap and either error out if not found, or check CA ACLs against it when present.

5.) if all is OK, forward the request to RA backend and issue the certificate.

Do you think that this would extend the scope of the ticket too much? If yes, I can open a separate ticket for this cleanup and do it on top of your work.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/227#issuecomment-260324953
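Added example (not the PR's or FreeIPA's own code) sketching the five-step flow proposed in the comment above as plain Python over a constructed in-memory directory and CA ACL. ENTRIES, CAACL, find_entry and the mapping of a dNSName SAN to `<service>/<dnsname>@REALM` are assumptions made for the illustration.

```python
# Constructed toy data standing in for LDAP entries; not FreeIPA's ipaldap.
ENTRIES = [  # krbprincipalname holds the canonical name plus any aliases
    {"krbprincipalname": ["HTTP/web1.example.test@EXAMPLE.TEST",
                          "HTTP/www.example.test@EXAMPLE.TEST"]},
    {"krbprincipalname": ["HTTP/db1.example.test@EXAMPLE.TEST"]},
    {"krbprincipalname": ["HTTP/api.example.test@EXAMPLE.TEST"]},
]
# Constructed CA ACL: profile -> principals the profile may be issued for
CAACL = {"caIPAserviceCert": {"HTTP/web1.example.test@EXAMPLE.TEST",
                              "HTTP/db1.example.test@EXAMPLE.TEST"}}

class NotFound(Exception):
    """Step 2: no entry carries the requested principal name."""

class ACLError(Exception):
    """Step 4: entry exists but no CA ACL permits this profile for it."""

def find_entry(principal):
    """Step 1: search by krbprincipalname; aliases match because they live in the same attribute."""
    for entry in ENTRIES:
        if principal in entry["krbprincipalname"]:
            return entry
    raise NotFound(principal)

def principal_type(principal):
    """Step 3: classify the principal only after its entry was retrieved."""
    primary = principal.rsplit("@", 1)[0]
    if "/" not in primary:
        return "user"
    return "host" if primary.split("/", 1)[0] == "host" else "service"

def validate_request(principal, san_dnsnames, profile):
    """Steps 1-4 of the proposed flow; returns what step 5 would hand to the RA."""
    entry = find_entry(principal)                      # steps 1 and 2
    ptype = principal_type(principal)                  # step 3
    if ptype == "user":                                # assumption: dNSName SANs map to host/service names
        raise ValueError("dNSName SANs are checked for host/service principals only")
    service, realm = principal.split("/", 1)[0], principal.rsplit("@", 1)[1]
    for name in san_dnsnames:                          # step 4
        wanted = "%s/%s@%s" % (service, name, realm)   # assumed SAN -> principal mapping
        if wanted in entry["krbprincipalname"]:
            continue                                   # already an alias of the requesting entry
        other = find_entry(wanted)                     # error out if no such entry exists
        if not CAACL.get(profile, set()) & set(other["krbprincipalname"]):
            raise ACLError(wanted)                     # entry exists, but CA ACL does not cover it
    return {"type": ptype, "principal": principal, "san": list(san_dnsnames)}

def outcome(principal, san_dnsnames, profile):
    """Collapse the decision into a label, e.g. for an audit log line."""
    try:
        validate_request(principal, san_dnsnames, profile)
        return "issue"
    except NotFound:
        return "not-found"
    except ACLError:
        return "caacl-denied"
```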


More information about the Freeipa-devel mailing list